Posted
by
Unknown Lamer
on Monday November 04, 2013 @10:03PM
from the bad-plan-with-expected-results dept.

ericgoldman writes "Terry Childs was a network engineer in San Francisco, and he was the only employee with passwords to the network. After he was fired, he withheld the passwords from his former employer, preventing his employer from controlling its own network. Recently, a California appeals court upheld his conviction for violating California's computer crime law, including a 4 year jail sentence and $1.5 million of restitution. The ruling (PDF) provides a good cautionary tale for anyone who thinks they can gain leverage over their employer or increase job security by controlling key passwords."

He was asked to give the passwords over during a meeting with several people who had not signed the appropriate papers for having said access and had not been documented by information/system security for having a right to the passwords. There was also a conference call being held on the phone in the room with unknown persons who would have then also been privy to the password divergence. Terry simple say "no" to diverging the passwords in that location, at that time, in that manner. In his contract, he had a duty to protect the passwords, and he was still an employee at that time. Giving up the passwords in that location at that time would have been a breach of his contract and he could have been fired on the spot for doing so. He was placed in an impossible situation, where they were firing him if he gave them the passwords or didn't give them the passwords. At that time, no one from security had authorize anyone else to have the passwords, and as such, Terry did the only thing he felt was correct, which was to attempt to give them to the only person who was in charge of the system, which was the mayor, who could then give them to whoever he felt like, in whatever manner he thought he should since it was not written in any contract that he had to protect the passwords or be fired for giving them to someone who had not filled out the proper paperwork and been given approval to have them and doing so in a location where only the person who had been authorized to have them would receive them.

Any other way is asking for problems. Even if the problem is simply 'i forgot the password'.

Or hey. Maybe your employer is a moron.

That was, in fact, exactly the situation Childs' boss was trying to rectifiy. Childs knew it, and refused to turn over passwords to his direct supervisor even when told, in person, by the Mayor, that his supervisor was authorized to have them. He also configured the network to not able to to reboot after a power outage that exceeded the UPS time unless he, personally, was there, and refused to make backups of the configuration.

And keep in mind, the network in question included their 911 system.

The asshole belongs in prison. He had multiple chances to avoid it, including after he was charged. He chose prison rather than allow the situation you describe to end.

Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the cities security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized.

Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.

No, seriously, YOUR argument is bullshit. Why? Because never once in that entire rant did you address any of the *specifics* of the actual case.

In the end Childs KNOWINGLY AND WITHOUT PERMISSION *changed* the passwords on a bunch of computers and then refused to give the owners of those devices (the city of San Francisco) those passwords. If for some bizarre and horrible reason by normal operational procedure he was just the only person who knew these passwords, was fired, and said "fuck you", that would be one thing, and I'd agree with you. But he intentionally locked down the systems and refused to unlock them - both before and after he was fired. He even claimed that the reason was because "he didn't trust his supervisors with them". That's pretty much a textbook application of the law, and could probably be extended to extortion if they wanted...

it basically shut down the city of san francisco for at least two weeks

I remember that. The BART stopped running, the metro stopped running, the traffic signals were out, the police had to stop policing, you couln't pay your traffic tickets, you couldn't renew your drivers licence. Fires raged out of control because of the lack of fireman. I think it cost the city close to a billion dollars just for this one guy. Lex Luthor took over as crime boss and extored money out of everyone. Meteors rained firey death on all San Francicicans. A plague of frogs of biblical preportions visited the city. Fuck.. then there were the locusts. Fucking locusts! Yeah, fuck that Childs guy!

Oh no, wait. I don't remember that because none of it happened at all! The city ran like normal like nothing happened.

Now I know why the mood has changed here at slashdot. The only people up are idiots who don't know what happened, and enjoy making things up.

In December 2007, the city&#8223;s Human Services Agency (HSA) experienced apower outage. When power was restored, its computers could not connect toFiberWAN&mdash;the configurations of its CE device had been erased because they had beensaved to VRAM. Childs reloaded the configurations and got the system reconnected.When the HSA information security officer learned that the CE configurations had beenstored in VRAM, he protested to Childs that this was unacceptable. Citing securityconcerns, Childs explained that he wanted to prevent a physical connection to the CE thatwould allow someone to obtain the configurations using the password recovery feature.He suggested disabling the password recovery feature instead; the information securityofficer agreed. Tong also agreed to this solution, as it would address a concern abouthacking into the HSA&#8223;s CE device. Soon, Childs disabled the password recovery featureon all CE devices citywide, and there were no backup configurations on any of the city&#8223;sCE devices. As the password recovery feature could not be disabled on core PE devices,Childs erased their configurations that had been stored on NVRAM.

Except when this story was originally reported, the city COULD use the network. They chose not to, claiming that they thought he might have compromised the system in other ways. As well as it being originally reported that Terry Childs continually offered to divulge the password to the individual and in the way that the cities security policy dictated. The city refused to follow their own procedure, and insisted that he violate the city's security policies by divulging the passwords to an unauthorized individual over the phone, which was also unauthorized.
Unless new facts have come to light that contradicted what was reported when it happened, Terry Childs has been sent to jail as an innocent man because he didn't realize that the law is a joke and works at the whim of those in power.

No, he went to jail because he deliberately setup the system so he was the only one that knew the passwords; and then refused to divulge them. He didn't simply forget his or refuse to violate procedures; he tried to use what he did as leverage and that is what he went to jail for. What he did is no different then any other type of extortion.